General
Target: v8LCmD3G.bat
Size: 195B
Sample: 191216-2j3v7dn8ej
MD5: c92c184ca6583b05ef289ed468c3c77e
SHA1: ea6dd3da0b80473948f1fbaf255dcec5d0abb0f1
SHA256: 89020b9c4772d552cedc03dabeb74aedbbd4dd6aff529044a0f671a74d47603b
SHA512: 686e24834473dc41be5110683578a729097edb09a8a3c08789dead4d244641a1e966c6d9f1175cd7598561b8d0ae27f69b9957234702d39461afc3f477bbf052
Task: task1
Sample: v8LCmD3G.bat
Resource: win7v191014
Malware Config
Extracted: http://185.103.242.78/pastes/v8LCmD3G
Extracted: C:\2hm436z-readme.txt
sodinokibi
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6EC83003EAFB7AB2
  http://decryptor.top/6EC83003EAFB7AB2
Targets
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Program crash
- Adds Run entry to start application
- Checks for installed software on the system
- Discovering connected drives
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Sets desktop wallpaper using registry